High Integrity Systems Symposium

June 3, 2015, Simula Research Laboratory, Oslo, Norway

Participation is open and free* - Register by May 28th!

About

Software has become an essential part of our critical national infrastructure, such as transport systems, banking industries, and energy generation, and a key element in various other aspects of our life, devices in the medical and automotive sector. The failure of such software based systems can have profound consequences, for individuals that use them, for companies that are responsible for delivering them, as well as for the society at large.

High integrity software and system engineering used to be the realm of avionics and the military, but with today's highly interconnected and mobile systems, it is increasingly needed for common applications to be able to demonstrate their reliability, robustness, safety, security and maintainability. As such, sound technologies that can address these high integrity concerns in an efficient manner are one of today's key engineering challenges.

The one-day High Integrity Systems Symposium at Simula will bring together researchers and practitioners from various domains, such as air traffic control, space, e-health, robotics, e-voting/e-government, energy/nuclear, rail and communication infrastructure. The main goal is to create a platform where industry and research can meet and discuss needs, challenges and opportunities in the area of high integrity systems. A second goal is to organize the various high integrity stakeholders in a national High Integrity Systems Forum that will focus on establishing a community with joint interests and serve as a driving force behind future editions of the High Integrity Systems Symposium.

The symposium will feature keynote talks from leading experts, presentations on current technology and experiences by researchers and practitioners, and a (rotating) discussion panel. Social and networking opportunities will be created by a joint lunch, a networking reception after the talks and a joint dinner. We aim at 50-80 participants, mostly from Norway, with an equal mix of industrial and academic participants. We also aim at inviting a small number (4-5) of high profile international experts in the field, either as keynote speakers or as discussion leaders.

* Please note that attendance is by registration only. There is no attendance fee; however, please appreciate that space is limited and catering needs to be booked in advance. For this reason, even though participation in the workshop is free of charge, there will be a cancellation fee of NOK 1000 for those who register but subsequently do not attend.

Location

Simula can be easily reached by public transport or by car. From Oslo Airport, there is a direct train connection to Lysaker station, and a short ~5-10 min bus ride from there. Hotels are available both in Oslo centre and in the near surroundings of Simula.

Directions by Public Transport: Take the train to Skøyen or Lysaker station which both have regular bus departures to Fornebu. The following bus routes stop at IT Fornebu: 28, 24, 31, 31E and 36E. If you are going by bus directly from the centre of Oslo, bus 31E or 36E are the fastest. The bus stop closest to Simula is called 'IT Fornebu'. For more information and schedules look at Ruter or call 177 (within Oslo/Akershus).

After you exit the bus, you will see the orange hub in the middle of 'Portalbygget'. You need to walk down the stairs beneath it to get to the main entrance hall ('Kai Fjell-hallen' / 'Resepsjon') of 'Terminalbygget'. Take the stairs that go up right before the reception, and you will find Simula's main entrance on the 3rd floor. Please ring the bell and we will open for you. If you need to use the elevator, call Simula at 67 82 82 00. Please ask for directions in IT Fornebu's reception.

Directions by Car: Follow directions towards Fornebu and then follow the signs for Snarøya. After you have passed the Telenor building, follow the road straight ahead through a junction and then take the second exit ('Rolfsbuktveien') at the first roundabout. Drive past the orange hub/building and take the first turn left at the corner of the HP building. Guests can park for a fee in the underground parking garage between 'Terminalbygget' and the new Statoil building. Take the stairs/lift up and walk to the reception. From there you can follow the directions given above. Keep in mind that driving patterns may change due to the construction work going on at IT Fornebu.

Speakers

Tim Kelly, University of York, UK

Tim Kelly is Professor of High Integrity Systems within the Department of Computer Science at the University of York. He is perhaps best known for his work on system and software safety case development, particularly his work on refining and extending the Goal Structuring Notation (GSN). His research interests include safety case management, software safety analysis and justification, software architecture safety, certification of adaptive and learning systems, and the dependability of “Systems of Systems”. He has supervised many research projects in these areas with funding and support from Airbus, BAE SYSTEMS, Data Systems and Solutions, DTI, EPSRC, ERA Technology, Ministry of Defence, QinetiQ and Rolls-Royce. He has published over 150 papers on high integrity systems development and justification in international journals and conferences.

Ahmed Elmokashfi, Simula Research Laboratory, Norway

Ahmed Elmokashfi is a Research Scientist at Simula Research Laboratory. He is currently leading the NorNet and MobRob projects which focus on measuring and assessing the robustness and performance of mobile broadband networks in Norway. His research focuses on the measurement and quantification of robustness in mobile broadband networks; the resilience, scalability, and evolution of the Internet infrastructure; and the understanding of dynamical complex systems.

Håkon Styri, Agency for Public Management and eGovernment (Difi), Norway

Håkon Styri is senior adviser at the Information Security Section at the Agency for Public Management and eGovernment in Norway. His working experience covers research and development, consulting, and 10 years as senior adviser for various authorities in the civil service. Styri has worked as research scientist at SINTEF, systems designer at Norsk Data AS, various research positions at Telenor R&D, and managed his own consultancy business. He received a BSc (hons) degree in computer science from Heriot-Watt University in 1985.

Einar Landre, Statoil

Einar Landre is a practicing software professional with almost 30 years of experience as a developer, architect, consultant, leader, and presenter. Currently he holds the position of leader of Statoil's value chain IT unit, where he is responsible for the products and services used to support Statoil's well construction process. He is an IEEE Certified Software Development Professional and has a Master of Science in Information Technology from the University of Strathclyde, UK.

Bjørn Axel Gran, Safetec

Bjørn Axel Gran works as team leader and specialist engineer in the Reliability department in Oslo. He also holds the positions of R&D Manager at Safetec and Adjunct Professor (20% position) at the Department of Production and Quality Engineering, NTNU. He has experience with research and consultant/advisory services within fields such as oil & gas, energy, nuclear, air traffic management and railways. Typical services were project management and analyses such as FTA, PSA, FMECA, HAZID/HAZOP, ROS, safety cases, security (information security), barrier management and compliance to standards/regulations.

Markus Borg, Lund University, Sweden

Markus Borg is a newly graduated PhD, working with the Software Engineering Research Group at Lund University, Sweden. His research interests are related to alleviating information overload in large-scale software development, with a focus on information retrieval and recommendation systems. Prior to his PhD studies he worked three years as a development engineer at ABB, involved in development of an IDE for process automation. He has experience of developing software adhering to the IEC 61508 and IEC 61511 safety standards.

Peter Karpati, Institute for Energy Technology (IFE), Norway

Peter Karpati has worked at the Institute for Energy Technology, Software Engineering department, since 2012 as a senior scientist. His current research focuses on challenges in the justification of safety critical systems, especially digital instrumentation and control systems of nuclear power plants. He received his PhD from Klagenfurt University in 2007 and has published in the areas of multimedia systems, healthcare informatics, security and safety modelling and justification in peer-reviewed international journals and conferences.

Rajunesh Shankar, Civil Aviation Authority-Norway

Rajunesh Shankar works as a CNS Inspector (Communication/Navigation/Surveillance) at the Civil Aviation Authority-Norway. He works in the Air Navigation Services section dealing primarily with safety oversight activities and interoperability. He represents CAA-Norway as a member of the National Supervisory Authorities Coordination Platform (NCP) SESAR Deployment Working Group focusing on the deployment of the Pilot Common Project (Regulation EU 716/2014) from a supervisory authority's perspective. He also serves as the Norwegian national focal point for annual European/Local Single Sky Implementation (ESSIP/LSSIP) reporting to the European Commission.

Harold Thimbleby, Swansea University, Wales

Harold Thimbleby is professor of computer science at Swansea University, Wales. His passion is designing dependable systems to accommodate human error, especially in healthcare. Harold is an Honorary Fellow of the Royal College of Physicians, a Fellow of the Royal College of Physicians, Edinburgh, the Institute of Engineering Technology, the Learned Society of Wales, and an Honorary Fellow of the Royal Society of Arts. He is a visiting professor at UCL and at Middlesex University and has been a Royal Society Wolfson Research Merit award holder and a Royal Society Leverhulme Trust Senior Research Fellow. He is Emeritus Gresham Professor of Geometry.

Schedule

There are many standards that either directly or indirectly address the development and assurance of safety-critical software (e.g. ISO 26262 for the automotive domain, EN 50128 for the railway domain, and DO-178B/C in the aerospace domain). There are easily observed differences in the details of these standards. For example, DO-178B uses the concept of Development Assurance Levels (DALs) to moderate the objectives of the standard according to the criticality of the software under development, whereas IEC 61508 uses the concept of Safety Integrity Levels (SILs) to make recommendations as to suitable design and assurance techniques according to the criticality of the software under development. The requirements and recommendations for SILs in IEC 61508 are not the same as those for DALs in DO-178B. However, underlying these differences there are a number of fundamental principles that can be observed in many of the current standards. Using a framework of 4+1 principles of software safety, this talk will discuss the essential features and challenges of current safety-critical software development.

Our society has become increasingly reliant on communication infrastructures ranging from the Internet to mobile networks. Understanding and accurately quantifying the factors that determine the reliability of these networks is crucial to reducing the odds of our society being crippled by large-scale cascading outages. These infrastructures, however, operate within a complex ecosystem encompassing everything from the physical infrastructure they run on top of to the policies regulating their operations. Communication networks often depend on each other to extend their coverage and to expand their capacity. They also depend on other infrastructures like the power grid and fiber optic networks. Hence, the reliability of a communication network cannot be assessed in isolation and should be examined in a much broader context involving all interdependent infrastructures. This talk will broadly discuss the different factors that influence the reliability of communication infrastructures. In particular, it will focus on and draw lessons from the ongoing efforts at the Centre for Resilient Networks and Applications at Simula that aim at understanding and assessing the reliability of Mobile Broadband Networks in Norway.

The transition to eGovernment requires software built in a manner that is perceived as reliable and secure by society. Information security should be an important issue when building systems as well as when procuring systems. Software systems used in the public sector cover all kinds of applications. In 2015 the Agency for Public Management and eGovernment conducted a study to find the current status of addressing security in software development in the public sector. The study was performed by SINTEF and, by adapting and simplifying the Building Security In Maturity Model (BSIMM), covers 20 entities in the Norwegian public sector. The first action using the results from this study is identifying which security practices the Agency for Public Management and eGovernment should aim at improving.

In the years to come the oil and gas industry will experience the same challenges as we have seen in automotive and aerospace, just to mention two industries where software has become an integral part of system performance. In this talk I will try to cast some light on the situation in the oil and gas industry, primarily using drilling as functional context, and try to point at how the industry, from equipment vendors to operators, needs to rethink its software strategies. The drop in oil price combined with more difficult resources to harvest makes the need for change even more imminent than it was a year ago.

For the years 2018-2027 ambitious goals are proposed for the Norwegian transport sector. New infrastructure shall be planned and produced so that climate emissions are minimised, and the development of railway around the large cities shall be prioritised. At the same time Norwegian Railways are struggling with spending the budgets, and there are delays in operation due to problems within the signal area. In this talk I will try to cast some light on the situation in the railways. I will point at how work in new projects is organised, and discuss some challenges that will come in handling developments including high integrity systems.

Change Impact Analysis (CIA) during software evolution of safety-critical systems is a fundamental but labor-intensive task. Several researchers have proposed tool support for CIA, but very few have been evaluated in industry. We present ImpRec, a Recommendation System for Software Engineering (RSSE), tailored for CIA at a company in the automation domain. Building on research from assisted tracing using information retrieval solutions, and mining software repositories, ImpRec recommends development artifacts potentially impacted when resolving incoming issue reports. In contrast to previous work on automated CIA, our approach explicitly targets development artifacts that are not source code. We evaluate ImpRec in a two-phase industrial case study. First, we measure the correctness of ImpRec's recommendations by simulating the historical inflow of 12 years' worth of issue reports in the company. Second, we assess the utility of working with ImpRec by deploying the RSSE in two development teams. Our results suggest that ImpRec presents about 40% of the true impact among the top-10 recommendations. Furthermore, user log analysis indicates that ImpRec can support CIA in industry, and developers acknowledge the value of ImpRec in interviews. In conclusion, our findings show the potential of reusing traceability associated with developers' past activities in an RSSE. However, more research is needed on how to retrain the tool once deployed, and how to adapt processes when new tools are introduced in safety-critical contexts.

Elevated safety needs, adaptation to state of the art equipment, increasing hardware and software complexity, as well as other factors challenge the current practices in safety demonstration and justification of new or modernized nuclear power plants (NPP). Our past research, focusing mainly on the digital instrumentation and control (DI&C) systems in NPPs, explored the state of practice and the challenges in related aspects by performing elicitations with nuclear regulators and by organizing expert workshops. Differences in regulatory and industrial environments and cultures in different countries lead to wide variations in safety demonstration and justification practices. However, common challenges remain with varied perceived importance. One of the main challenges identified as utmost relevant, addressed the convincing expression and argument of safety. This presentation outlines our findings from the previous year and introduces our current work towards the development of a reasoning framework for safety demonstration.

The European Air Traffic Management (ATM) system is a €8.6 billion a year industry currently handling about 33,000 flights daily. Experts forecast this increasing to nearly 45,000 flights per day by 2030 and 50,000 flights on busy days. In addition, a fragmented European airspace costs an additional €2-3 billion every year. The European airspace plans to accommodate the increasing air traffic flows, whilst reducing costs and improving safety and performance, through the Single European Sky (SES) initiative and the implementation of new SESAR (Single European Sky ATM Research) technologies. However, an overhaul of this size does not come without its fair share of challenges. In this talk, I will present some of the planned SESAR related changes and describe some challenges of implementing future systems from a regulator's perspective.

Donald Rumsfeld (twice US Secretary of Defense) famously said something about known knowns, known unknowns, and unknown unknowns. However, because he was unaware of formal methods, he forgot the unknown knowns. Unknown knowns are things we don't know that other people know. In almost everything to do with IT, a blatant unknown known is formal methods and how using them will save lives. In healthcare, poor IT is responsible for killing patients – and for getting nurses blamed for it. This inexcusable state of affairs is exacerbated by politicians who want to rush in with "solutions" without any evidence better than calling it "investment in IT." (Obamacare and $29 billion for new IT comes to mind.) While the world thinks healthcare IT is perfect and even getting better, then all the problems must be hospitals and clinicians being out-of-date and incompetent, right? (Incompetent clinicians are an easy problem to solve, after all: just sack them and replace them with error-free robots.) Formal methods excel where problems are complex. This talk will discuss some eye-opening trivial problems that are completely avoidable. Except that everybody – in particular the regulators, industry and (inexcusably) the research funders – is just daydreaming in healthcare, distracted by the seductive advances of consumer IT (which isn't even so dependable when you look more closely). If this is a High Integrity Systems Symposium, then this talk is an invitation to everyone here to help cure the blindness of unknown knowns: to help fix the ubiquitous life-threatening problems in healthcare that are going to directly affect all of us sooner or later.

16h15

Panel Discussion

Moderator: Tim Kelly, all other speakers are invited as initial panelists.

Fishbowl format: we leave one empty seat for attendees to join the panel discussion. Once someone does take that seat, one of the other panelists will step down. This can be repeated based on demand.